httpd-docs mailing list archives

On 3/7/2011 5:31 PM, Noel Butler wrote:
> On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
>> Umm... I'm no crypto guru, but I've never heard of MD5 having variants, let alone
>> a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache Runtime, afaik - part of the build
>> kit for apache modules.
>>
>> I strongly suspect your problem is on another level.
>>
>>
>
> Actually, he is correct. Though, the Apache variant of md5 is a chosen improved security
> method, it really shouldn't be called MD5 since it is not compatible with, well, base
> MD5 :)
>
> http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
>
> MD5
>
> "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5
> digest of various combinations of a random 32-bit salt and the password. See the APR
> source file apr_md5.c
> <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co> for
> the details of the algorithm.
>
>
> *MD5*
>
> $ openssl passwd -apr1 myPassword
> $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
>
>
> I agree Apache should probably not be calling it MD5. Perhaps it needs renaming and MD5 as
> we all know it, be, MD5.
>
> and for this reason I will xpost to devs list for some clear (maybe) explanation as to why
> it was called this.
>
> I don't think Edward's questioning is unreasonable, given the popularity of LAMP
> combination, they are touted to work hand in hand, but as he pointed out, they are not,
> even exampled by openssl wanting -apr1 not -md5 to be compatible, so I can see how
> this would be a problem with MySQL insert of md5(foo) not be recognised by an Apache md5
> wanting.

But what does this have to do with httpd? At best, you are suggesting a docs improvement.
Otherwise this is on the language you are using and not an ASF issue... but the desired
behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
example... and apache_md5_crypt() is unambiguous.
http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
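
Added example, not part of the original message and not APR's own code: a Python rendering of the `$apr1$` scheme described in the quoted Apache docs, following the structure of `apr_md5.c`, checked against the `openssl passwd -apr1` output quoted in the thread and contrasted with the bare MD5 hex string that a MySQL `md5(foo)` insert would store. The function names are illustrative assumptions.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PAGE_HASH = "$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0"  # openssl output quoted in the thread

def _to64(value, count):  # 6 bits per output character, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_crypt(password, salt):
    """Return the $apr1$ string for password and salt (salt capped at 8 chars)."""
    pw, sp = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + sp + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    for left in range(len(pw), 0, -16):      # mix in the alternate digest
        ctx.update(alt[:min(16, left)])
    n = len(pw)
    while n:                                  # one byte per bit of the length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the 1,000 iterations from the docs
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(sp)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in order)
    return "$apr1$" + sp.decode() + "$" + body + _to64(final[11], 2)

def verify(password, stored):  # only well-formed $apr1$ strings can match
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_crypt(password, parts[2]), stored)

def plain_md5_hex(password):  # bare md5(): 32 hex chars, no salt, no iterations
    return hashlib.md5(password.encode()).hexdigest()

if __name__ == "__main__":
    print("page hash verifies:", verify("myPassword", PAGE_HASH))
    print("plain MD5 accepted:", verify("myPassword", plain_md5_hex("myPassword")))
```

The salt and iteration count are why a bare `md5()` digest can never be accepted where an `$apr1$` string is expected: the two values do not even share an encoding.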